The Perfect Secure Payments Storm

The updated 3D Secure 2.0 protocol and the European Union’s (EU) second Payment Services Directive (PSD2) have delivered a one-two punch for issuers and merchants in order to comply with these new regulatory requirements and network authentication processes.

In a recent digital discussion with Karen Webster, Michael Sass, VP Market Product Management, Security Solutions, Europe, Mastercard, and James Rendell, VP Product Management, Payment Security, CA Technologies, discussed the advantages as well as the obstacles that are still in the way.

Take passwords, for instance.

Sass says weak security challenges like passwords and knowledge-based questions (i.e. “What is your maternal grandfather’s first name?”) will be among the first casualties of the new protocol. In some cases, issuers are already being forced to abandon them.

These methods create friction, he said, by requiring customers to remember and type those passwords into a field on their desktop or mobile device. They are also far less secure than biometric alternatives. As consumers realize this, passwords are falling out of vogue. When given a choice, Sass said, most customers choose a security challenge other than a static password.

Authentication processes as they are today are contributing to an eCommerce cart abandonment rate of around 10 to 15 percent, Sass said, with about 20 percent of authentications failing — leaving customers to drift away, thus losing the transaction for the merchant.

The arrival of 3D Secure 2.0 coincides almost too neatly with the introduction of the EU’s second Payment Services Directive, or PSD2 — a whole new set of regulatory requirements for online payments that 3DS2 addresses. New data points, including location-based information, are provided as part of the 3DS 2.0 protocol.

New biometric authentication methods, such as Face ID, TouchID and Selfie Pay, are beginning to gain traction, with Sass noting that, when used with 3DS2, they can enable a more secure eCommerce experience for consumers and, ultimately, a more frictionless one as well.

Sass, Webster andRendell recently discussed the opportunities and challenges for merchants and issuers now standing at the intersection of digital payments, authentication and biometrics.

Data Trove

The innovation that 3DS 1.0 introduced was putting the cardholder directly in contact with the issuing bank, mid-transaction, to verify their identity.

The direct connection, said Rendell, facilitated a far richer set of metadata and session data to be evaluated by the bank for risk factors when deciding whether to approve or challenge a transaction. The original 3DS drove down fraud instances while simultaneously optimizing the user experience by only challenging the transaction when absolutely necessary, Rendell said.

But it also introduced friction for the consumer — and shopping cart abandonment for the merchant. As a result, in the U.S., the protocol was largely set to the side.

Rendell said that 3DS2 aims to further reduce transaction challenges by using even more data points. Not every merchant will want or need to use every piece of data that’s collected under 3DS2, but there will be much more to choose from depending on each merchant’s needs.

For instance, it may not be necessary to share privacy-sensitive information, such as billing and shipping addresses; but if merchants can at least see whether the two match, that information can help them ward off fraudsters who may be able to fudge the cardholder’s other credentials but are trying to ship the goods to a drop site for resale. Recent changes to profile details, including one’s address, can be a tip-off that an account has been compromised by fraudsters.

Webster noted that the list of data to be gathered is long; are merchants ready to harness that much data to drive decision-making, she wondered?

Rendell said it’s not as onerous as it sounds.

Through the stewardship of international secure payments consortium EMVCo., which manages PIN and chip standards as well as tokenization, many payment providers and merchants provided input as the protocol was developed to ensure that it would meet needs on all sides of the transaction. It was designed for ease of integration on the merchant side with a simple software development kit (SDK) that can be integrated into any merchant’s mobile app to gather the data.

However, he did agree that those who would thrive in the space going forward would be those with the most robust data science capabilities, as they will have the best chance of harnessing the rich data flowing through the new protocol.

Rendell emphasized that these improvements to the 3DS2 protocol will help allay merchant concerns over cart abandonment, conforming well with European-wide PSD2 protocols that are very particular about the circumstances under which transactions must be challenged.

Biometrics

Cardholders and customers are more concerned about the protection of their account and personal data than ever before, with high-level data breaches rattling their trust again and again — Target, Yahoo, Home Depot, Equifax and Whole Foods, just to name a few. In such an environment, any technology that creates a feeling of security is valuable — and one that truly delivers that security becomes even more so.

Biometric authentication does both, said Sass. Banks that offer biometric authentication as an option see a 75 percent adoption rate, on average, over sticking with the old-fashioned static password. And, with a simpler user experience (no typing, just touching a sensor or smiling for the camera), it’s clear that many consumers see no reason not to switch to the new methods.

However ready consumers may be, though, it can take a little nudging to get the issuers moving in the same direction. They are the ones responsible for authenticating the customer, after all, even if the transaction is going through a third-party payment service, such as an eWallet.

Sass said biometrics offer two compelling advantages for banks and merchants.

First, because it’s so much easier to use, biometrics cuts down on eCommerce cart abandonment rates. The rate currently hovers around 15 percent, he said. Among merchants who accept biometric authentication methods, that percentage is 3.

Second, biometrics reduces fraud risk dramatically. Most authentication methods are not 100 percent airtight, Sass said. Static passwords are well-known to be the weakest, but even one-time passwords delivered by SMS messaging are not as secure as once believed.

Fraudsters can take over someone’s phone and receive those messages remotely, Sass explained. Even if the message is not intercepted, as many as 13 percent do not reach the intended recipient. Those factors have been reason enough for some markets to say the one-time password is no longer compliant.

With voice authentication, false authentications occur about once per every thousand instances. With TouchID, the number shrinks to once every 50,000 instances. And with facial recognition (like Apple’s forthcoming Face ID) or Samsung’s iris scan, the newest and most accurate of all, false authentications number just one in a million, according to Sass.

What to Do Next

Getting consumers to enroll in Mastercard’s 3DS Secure Code solution is the first step — a big task.

In Europe, where the 3DS protocol is widely adopted by issuers and has been for quite a long time, Sass said only about half of bank account holders are enrolled, and only about a quarter of eCommerce transactions are verified. As for the merchants, in the U.K., only two-thirds of the top 100 merchants are using Secure Code; in Germany, it’s even less at one-third.

One strategy for getting consumers over the enrollment hump, Sass offered, is to recommend that every issuer enroll every customer in Secure Code as the transition to 3DS2 gets underway using any number of tactics. One bank, Sass said, saw higher cardholder enrollment by initiating pop-up reminders every time the cardholder visited the bank’s website. Enrollment by annoyance, however, is likely not a recommended strategy.

Under 3DS2, Sass mentioned that customers will have the opportunity to whitelist their favorite, most trusted merchants (as long as the issuer has also whitelisted those merchants). That way, despite increasing friction on the first visit to that merchant, the ultimate outcome will be to reduce friction at frequently visited sites, e.g. no challenges, while still ensuring that cardholders are fully protected.

Banks that are already using 3DS won’t have much work to do when it comes time to upgrade to 2.0, and the transition for merchants is designed not to be overtaxing for merchants either, Sass said. The main challenge is sheer volume: Getting cardholders, issuers and merchants around the world on the same page is no small feat.

Rendell’s advice? Do it now.

“The thing is not to wait,” Rendell advised. “If everybody waits until a PSD2 mandate or the date that regulatory tactical standards come into force, and they don’t do anything until that date, it becomes a bigger and bigger task. The earlier they start, the easier it will be.”